Market Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only market monitoring skill, with some normal cautions around exchange API keys and polling.

Use a dedicated read-only or market-data-only exchange API key, do not provide trading or withdrawal-enabled credentials, and avoid supplying OKX secret/passphrase values unless a later reviewed workflow clearly needs them. Configure polling intervals and alert conditions explicitly, and treat generated trading signals as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger condition includes a very broad rule—"用户询问行情或价格" (user asks about market conditions or price)—without clear scoping, namespace, or confirmation requirements. In an agent environment, this can cause the skill to activate on ordinary conversation about prices or markets, leading to unintended external API calls, context switching, and possible leakage of user intent or metadata to third-party services.

VirusTotal

63/63 vendors flagged this skill as clean.
